Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-05-2022 23:51
- Static task: static1
General
- Target: 5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe
- Size: 253KB
- MD5: a6481e8a071be497473fd37fdabe8d83
- SHA1: 64ca16d365f80e529446583a8900b7b28d356487
- SHA256: 5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34
- SHA512: 1c96776e99411ae50df9cbd534eba221440e6363798458d4668580a0da0dbb5bf37848aad7f19e4de04f907f784492622c88a8f9b770541e9456950b5e259b81
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: arh2
Domains:
[65 configured domains omitted]
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (3 IoCs)
Resources matched by YARA rule:
  behavioral1/memory/2544-136-0x0000000000400000-0x000000000042B000-memory.dmp  yara_rule: xloader
  behavioral1/memory/2544-139-0x0000000000400000-0x000000000042B000-memory.dmp  yara_rule: xloader
  behavioral1/memory/4892-145-0x00000000010A0000-0x00000000010CB000-memory.dmp  yara_rule: xloader
Executes dropped EXE (2 IoCs)
Processes:
  PID 4776  ggytbnywzd.exe
  PID 2544  ggytbnywzd.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes (source process -> target process):
  PID 4776 ggytbnywzd.exe set thread context of PID 2544 ggytbnywzd.exe
  PID 2544 ggytbnywzd.exe set thread context of PID 1060 Explorer.EXE
  PID 4892 msdt.exe set thread context of PID 1060 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes:
  PID 2544  ggytbnywzd.exe  (4 entries)
  PID 4892  msdt.exe        (32 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 1060  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  PID 2544  ggytbnywzd.exe  (3 entries)
  PID 4892  msdt.exe        (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 2544  ggytbnywzd.exe  Token: SeDebugPrivilege
  PID 4892  msdt.exe        Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source process -> target process):
  PID 1640 5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe wrote to memory of PID 4776 ggytbnywzd.exe  (3 entries)
  PID 4776 ggytbnywzd.exe wrote to memory of PID 2544 ggytbnywzd.exe  (6 entries)
  PID 1060 Explorer.EXE wrote to memory of PID 4892 msdt.exe  (3 entries)
  PID 4892 msdt.exe wrote to memory of PID 1856 cmd.exe  (3 entries)
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe"
  PID: 1640
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe C:\Users\Admin\AppData\Local\Temp\jnzqcmqg
    PID: 4776
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe C:\Users\Admin\AppData\Local\Temp\jnzqcmqg
      PID: 2544
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1060
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 4892
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe"
      PID: 1856
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5hhhsr31fl38xu0xw4o
  Filesize: 171KB
  MD5: f841f8a21fa59b0cd196bc9872bdc25e
  SHA1: f98264aaa0fac0cc2753e2c99bb3d44e841213b7
  SHA256: 1e4d1f543e7f5e23e2270bf6c2f5460a0de2ab0179fcb4d55f166cc5930d885f
  SHA512: 984d848ec07da5290d07b935bdfa12f7266133ebb9c6bfcaae51b7ab22981db8f15d8f5d028f18ec39e1db379660eb18ec4b63f52a4fc1f635c86a2449f6edc4
- C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
  Filesize: 74KB
  MD5: 1a86c6002f3c1faa1236da59ead3890f
  SHA1: 5c1354c71d2e5e5cf21d2cc64208dadb375fb34e
  SHA256: deeca01ebece259db77f5034fba5bebb0df954172e5318dc3ade94593d83e21b
  SHA512: a738edca53949f7a63939b77007611dcdec6fb0bd86c36ae3df5f28dfb847ad41377484972fd209183cd213411ff86a6db66360b65496a41f6cdc06bcc876764
- C:\Users\Admin\AppData\Local\Temp\jnzqcmqg
  Filesize: 4KB
  MD5: c80d72ff5634420064095398d5044ba9
  SHA1: eae9cca26c2027e4706e0079f533d57312afe080
  SHA256: eff27c3b368bdc2a2af24a546d4b05cfda6090380f3f0c553549438d36026c84
  SHA512: 338854ad70c4b2f2123b1a438c0b29876ff20d65b6ae9f1fa0182298ea1957c90d96cd4793de39a177bded39039f366011e32fea2d63f264cc94136399461e68
Memory dumps:
- memory/1060-149-0x0000000002760000-0x00000000027FE000-memory.dmp  Filesize: 632KB
- memory/1060-142-0x0000000002C50000-0x0000000002DB2000-memory.dmp  Filesize: 1.4MB
- memory/1856-146-0x0000000000000000-mapping.dmp
- memory/2544-139-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize: 172KB
- memory/2544-136-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize: 172KB
- memory/2544-141-0x00000000005B0000-0x00000000005C1000-memory.dmp  Filesize: 68KB
- memory/2544-140-0x0000000000BC0000-0x0000000000F0A000-memory.dmp  Filesize: 3.3MB
- memory/2544-135-0x0000000000000000-mapping.dmp
- memory/4776-130-0x0000000000000000-mapping.dmp
- memory/4892-143-0x0000000000000000-mapping.dmp
- memory/4892-144-0x0000000000630000-0x0000000000687000-memory.dmp  Filesize: 348KB
- memory/4892-145-0x00000000010A0000-0x00000000010CB000-memory.dmp  Filesize: 172KB
- memory/4892-147-0x0000000003150000-0x000000000349A000-memory.dmp  Filesize: 3.3MB
- memory/4892-148-0x0000000002EF0000-0x0000000002F80000-memory.dmp  Filesize: 576KB